UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the Inspector General

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S ENTERPRISE SERVER INFRASTRUCTURE GENERAL SUPPORT SYSTEM
FY 2011

WASHINGTON, D.C.

Report No. 4A-CI-00-11-016
Date: 5/16/2011

Michael R. Esser
Assistant Inspector General for Audits


Executive Summary

This final audit report discusses the results of our review of the information technology security controls of the U.S. Office of Personnel Management's (OPM) Enterprise Server Infrastructure General Support System (ESI). Our conclusions are detailed in the "Results" section of this report.

During this audit we documented the following opportunities for improvement:
• The ESI information system security plan (ISSP) was prepared in accordance with the format and methodology outlined in NIST guidance. However, the ESI ISSP does not contain details of the interconnections between ESI and other systems as required by NIST SP 800-18.
• Several weaknesses identified during disaster recovery exercises have not been addressed or remediated.
• The Office of the Chief Information Officer (OCIO) has not formally documented common controls provided by ESI or implemented a process to share this information with the owners of other applications relying on this support system.

We also determined that the following elements of the ESI security program appear to be in full FISMA compliance:
• A security certification and accreditation (C&A) of ESI was completed in September 2010 by the Bureau of Public Debt.
• The OIG agrees with the security categorization of "high" for ESI.
• A risk assessment was conducted for ESI in 2010 that addresses all the required elements outlined in relevant NIST guidance.
• The security controls of ESI were tested by an independent source and internally by the OCIO.
• The ESI contingency plan is routinely maintained and tested in accordance with NIST guidance.
• A privacy threshold analysis (PTA) was conducted for ESI. The PTA revealed that ESI does not require a privacy impact assessment. We agree with this assessment.
• The ESI Plan of Action and Milestones (POA&M) follows the format of the OPM POA&M guide, and has been routinely submitted to the Office of the Chief Information Officer for evaluation.
• We independently tested 24 security controls for ESI and found that 1 of the security controls was not in place during the fieldwork phase of the audit.


Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
    I. Certification and Accreditation Statement
   II. FIPS 199 Analysis
  III. Information System Security Plan
   IV. Risk Assessment
    V. Independent Security Control Testing
   VI. Security Control Self-Assessment
  VII. Contingency Planning and Contingency Plan Testing
 VIII. Privacy Impact Assessment
   IX. Plan of Action and Milestones Process
    X. NIST SP 800-53 Evaluation
Major Contributors to this Report
Appendix: Office of the Chief Information Officer's February 3, 2011 response to the draft audit report, issued January 13, 2011


Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we evaluated the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Enterprise Server Infrastructure General Support System (ESI).


Background

ESI is one of OPM's 43 critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems on a rotating basis.

The Office of the Chief Information Officer (OCIO) has been designated with ownership of ESI. ESI supports OPM in meeting its goals by serving as an infrastructure environment for the processing of payroll and benefit related actions for current and former federal government employees. ESI operates in a            environment. The mainframe infrastructure is supported by the agency's Data Center Group within the OCIO.

This was our second audit of the security controls surrounding ESI. The findings from the first ESI audit report, issued in 2004, were closed prior to the start of this audit. We discussed the results of our audit with OCIO representatives at an exit conference.


Objectives

Our objective was to perform an evaluation of security controls for ESI to ensure that the OCIO officials have implemented IT security policies and procedures in accordance with standards established by OPM, FISMA, and the National Institute of Standards and Technology (NIST).

OPM's IT security policies require managers of all major information systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The overall audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for ESI, including:
• Certification and Accreditation Statement;
• FIPS 199 Analysis;
• Information System Security Plan;
• Risk Assessment;
• Independent Security Control Testing;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Security Controls.


Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of the OCIO officials responsible for ESI, including IT security controls in place as of January 2011.

We considered the ESI internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's OCIO office and other program officials with ESI security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of ESI are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the ESI system of internal controls taken as a whole.

The criteria used in conducting this audit include:
• OPM Information Technology Security Policy Volumes 1 and 2;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from November through December 2010 in OPM's Washington, D.C. office.


Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OCIO's management of ESI is consistent with applicable standards. Nothing came to the OIG's attention during this review to indicate that the OCIO is in violation of relevant laws and regulations.


Results

I. Certification and Accreditation Statement

A security certification and accreditation (C&A) of ESI was completed in September 2010.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidance to federal agencies in meeting security accreditation requirements. The ESI C&A appears to have been conducted in compliance with NIST guidance.

The Bureau of Public Debt (BPD) was contracted by the OCIO to prepare the C&A package for ESI. OPM's Senior Agency Information Security Officer reviewed the ESI C&A package and signed the system's certification package on September 29, 2010. OPM's Chief Information Officer signed the accreditation statement and authorized the continued operation of the system on September 29, 2010.

II. FIPS 199 Analysis

Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume I, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The ESI security categorization analysis categorizes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. ESI is categorized with a high impact level for confidentiality, high for integrity, moderate for availability, and an overall categorization of high.

The security categorization of ESI appears to be consistent with the guidance of FIPS 199 and NIST SP 800-60, and the OIG agrees with the categorization of high.

III. Information System Security Plan

Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in an Information System Security Plan (ISSP) for each system, and provides guidance for doing so.

The ISSP for ESI was created using the template outlined in NIST SP 800-18. The template requires that the following elements be documented within the ISSP:
• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Other Designated Contacts;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing;
• Laws, Regulations, and Policies Affecting the System;
• Minimum Security Controls;
• Plan Completion Date; and
• Plan Approval Date.

The ESI ISSP contains the majority of the elements outlined by NIST. However, the ESI ISSP does not contain details of the interconnections between ESI and other systems.

The ISSP correctly states that NIST does not require systems to list interconnections with internal organizations, but the ISSP also indicates that ESI interfaces with several systems owned by external entities. The details of these external interfaces are not disclosed in the ISSP as required by the NIST guide. Specifically, the ESI ISSP does not detail the following information about each interfacing system: name, organization, type of interconnection, authorizations, dates of agreement, FIPS 199 category, C&A status, and name and title of authorizing official.

Recommendation 1
We recommend that the ESI ISSP be revised to include identifiers of the external systems that interconnect with ESI (name, organization, type of interconnection, authorizations, dates of agreement, FIPS 199 category, C&A status, name and title of authorizing official).

OCIO Response:
"We concur."

OIG Reply:
As part of the audit resolution process, we recommend that the OCIO provide OPM's Internal Oversight and Compliance (IOC) with evidence indicating this recommendation has been implemented.

IV. Risk Assessment

A risk management methodology focused on protecting core business operations and processes is a key component of an efficient IT security program. A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness of security policies and recommend countermeasures to ensure adequate protection of information technology resources.

As part of the C&A process, BPD conducted a vulnerability assessment of ESI and evaluated the risk of each vulnerability in accordance with NIST SP 800-30 standards. BPD identified 18 vulnerabilities during this assessment, and for each one documented:
• Vulnerability Description;
• Threat Source;
• Existing Controls;
• Likelihood, Impact, and Risk Rating; and
• Control Recommendations.

ESI provided BPD sufficient evidence to close findings for five vulnerabilities and determined that one vulnerability was due to a false positive test result. Remediation activities for the remaining 12 vulnerabilities are appropriately tracked with the ESI Plan of Action and Milestones (POA&M) (see section IX below).

V. Independent Security Control Testing

A security test and evaluation (ST&E) was completed for ESI as a part of the system's C&A process in September 2010. The ST&E was conducted by BPD, an OPM contractor that was operating independently from the OCIO. The OIG reviewed the controls tested to ensure that they included a review of the appropriate management, operational, and technical controls required for a system with a "high" security categorization according to NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems.

The ST&E labeled each security control as common, system-specific, or hybrid. A common control is a security control that is inherited from another system or physical environment. A system-specific control is a control that is implemented directly on an individual application. A hybrid control is where part of the control is deemed common and part is deemed system specific. All types of controls were tested as part of the ST&E due to the fact that ESI is a general support system that both inherits and provides common security controls.

The possible outcomes for each control test were fully satisfied, partially satisfied, and not satisfied. BPD reviewed and tested over 200 controls as part of the ST&E and concluded that 33 were partially satisfied and the rest were fully satisfied. The 33 partially satisfied control tests were condensed into the 18 security weakness findings discussed in Section IV above.

VI. Security Control Self-Assessment

FISMA requires that IT security controls of each major application owned by a federal agency be tested on an annual basis. In the years that an independent ST&E is not being conducted on a system, the system's owner must conduct an internal self-assessment of security controls.

The designated security officer for ESI conducted a self-assessment of the system's controls in April 2010. The assessment included a review of the relevant management, operational, and technical security controls outlined in the NIST SP 800-53 Revision 3. The OCIO attempts to perform a complete and thorough security self-assessment each year. The OCIO did not detect any security weaknesses in the FY 2010 self-assessment.

Although the ESI self-assessment indicated that there were zero security weaknesses in the system, an OIG review of the same security controls indicated that a weakness does exist (see section X, below).

VII. Contingency Planning and Contingency Plan Testing

NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. The OPM IT security policy requires that OPM general support systems and major applications have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The ESI Disaster Recovery (DR) Plan documents the functions, operations, and resources necessary to restore and resume mainframe operations when unexpected events or disasters occur. The ESI DR plan is reviewed and updated annually and contains the majority of elements recommended by NIST SP 800-34 guidelines, including:
• System background information;
• Concept of operations;
• Notification/activation phase;
• Recovery operations; and
• Procedures to return to normal operations.

Contingency Plan Test
NIST SP 800-34 provides guidance for conducting and documenting contingency plan tests. Contingency plan testing is a critical element of a viable disaster response capability.

In May 2010, the OCIO conducted its annual disaster recovery test. The test involved restoring all mission critical functions at a remote facility. The documentation resulting from the testing activity contains the majority of the items required by the NIST guide including the scope, objectives, participants, and logistics of the test.

The test summary included a section of "areas for further review" that documents the issues or concerns that were discovered during the test. There were 19 issues detected during the FY 2010 test, several of which were considered "major" in nature. The majority of the issues were also identified in the disaster recovery tests from FY 2008 and FY 2009. Although the OCIO has documented the fact that issues exist, it does not appear that they have attempted to remediate these weaknesses. We acknowledge the fact that remediation activity for several of these issues requires support from OPM program offices outside of the OCIO. However, we believe that the OCIO should take primary responsibility for coordinating remediation activity since ESI is a critical general support system that many other OPM applications rely on for common controls.

Recommendation 2
We recommend that the OCIO develop and implement a plan to remediate weaknesses identified during ESI disaster recovery tests; remediation activities should be tracked on the ESI POA&M.

OCIO Response:
"We disagree in part with the recommendation. Clearly there are not 19 weaknesses. However, the list of observations should be reviewed to determine which, if any, of the items are actual weaknesses. The Data Center agrees that any items found to be actual weaknesses need to be documented in a POA&M and a plan developed to remediate them. However, the Data Center does not control infrastructures outside the ESI, nor does it determine which tests will be conducted by the Lines of Business or other organizations. During the ESI DR exercise the Data Center recovers the ESI environment and executes tests to ensure the platform is wholly recovered. While the Data Center can make test recommendations, decisions regarding the testing of infrastructure external to the ESI and customer applications are outside the control of the Data Center. Any weaknesses found during the review of the list should be documented and tracked in the POA&M of the organization responsible for taking corrective actions; not necessarily the ESI POA&M. Likewise, plans to remediate any weaknesses should be developed by the parties responsible for taking corrective actions."

OIG Reply:
After reviewing the OCIO's response to the draft report, we acknowledge that there may be fewer than 19 weaknesses identified during the most recent disaster recovery exercise. The intent of our recommendation is to encourage the OCIO to use the formal POA&M process to track any weaknesses that are identified; a statement to which the OCIO agrees. As part of the audit resolution process, we recommend that the OCIO provide IOC with evidence indicating that weaknesses identified during the FY 2011 disaster recovery exercise are tracked on the ESI POA&M.

VIII. Privacy Impact Assessment

The E-Government Act of 2002 requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed.

The OCIO completed an initial privacy screening of ESI and determined that a PIA was not required for this system because it does not contain Personally Identifiable Information (PII). Although several applications residing on the ESI mainframe contain PII, the OCIO staff supporting ESI does not have access to this data.

IX. Plan of Action and Milestones Process

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

The OIG evaluated the ESI POA&M and verified that it follows the format of OPM's standard template, and has been routinely submitted to the OCIO's Security and Privacy Group for evaluation. Nothing came to our attention to indicate that there are any current weaknesses in the management of the ESI POA&M.

X. NIST SP 800-53 Evaluation

NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated the degree to which a subset of these controls had been implemented for ESI, including:
• AC-2 Account Management
• AC-5 Separation of Duties
• AC-6 Least Privilege
• AC-7 Unsuccessful Login Attempts
• AC-11 Session Lock
• AT-3 Security Training
• AU-2 Auditable Events
• AU-3 Contents of Audit Records
• AU-6 Audit Review, Analysis, Reporting
• CA-7 Continuous Monitoring
• CM-2 Baseline Configuration
• CM-3 Configuration Change Control
• IA-1 Identification and Authentication
• IA-5 Authenticator Management
• MA-1 Maintenance Policy and Procedures
• MA-2 Controlled Maintenance
• MP-6 Media Sanitization and Disposal
• PE-1 – 18 Physical and Environmental Controls
• PL-4 Rules of Behavior
• PM-1 Information Security Program Plan
• PS-4 Personnel Termination
• RA-5 Vulnerability Scanning
• SC-5 Denial of Service Protection
• SI-2 Flaw Remediation

These controls were evaluated by interviewing individuals with ESI security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system.

Although it appears that the majority of NIST SP 800-53 Revision 3 security controls have been successfully implemented for ESI, one tested control was not fully satisfied.

a) PM-1 Information Security Program Plan

ESI is a general support system that provides common security controls to other information systems and applications. ESI also inherits several security controls from program offices outside the OCIO (primarily physical controls related to building security).

Although the OCIO's Security and Privacy Group is currently developing a list of common controls that ESI shares with other systems, this information has not been formally documented and shared with other OPM program offices. Without a well defined list of common controls, the owners of other systems must use their own judgment to determine which security controls are inherited from ESI, increasing the risk that these systems have controls that are not adequately implemented or tested.

NIST SP 800-53 Revision 3 control PM-1 states that an organization should develop an agency-wide Information Security Program Plan that documents the program management controls and organization-defined common controls.

Recommendation 3
We recommend that the OCIO formally document common controls provided by ESI and implement a process to share this information with the owners of other applications relying on this support system.

OCIO Response:
"We concur. This work is in progress."

OIG Reply:
As part of the audit resolution process, we recommend that the OCIO provide OPM's IOC with evidence indicating this recommendation has been implemented.


Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

•                  , Group Chief
•                  , Senior Team Leader
•                  , IT Auditor


Appendix

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Chief Information Officer

MEMORANDUM FOR                    CHIEF, INFORMATION SYSTEMS AUDIT GROUP

FROM:                 MATTHEW E.
PERRY\n                                                                           ~~~\n                                     CHIEF INFOR..V1ATION OfFICER                 02/0 ;;-.LJ\n        Subject:\t                    Response to the Draft: Audit Report No. 4A-CI-OO- l 1-01 6\n\n                                     FY 20 11 IT Security Controls ofO PM\'s Enterp rise Server\n\n                                     Infra struc ture Ge nera! Support System\n\n\n        Thank you for the opport unity to comm ent on the su bjec t l\'Cp011. The resu lts pro vided in the\n        draft report consist of a number of recommendation s. The recomm endations are valuable to our\n        program impro vement efforts and aft er a ca reful review of the report. we offe r the following\n        comments.\n\n        III.        Informati on System Secur ity Plan\n\n        The 20 }O OIG Audit repor states: "The ESIISSP contains (he majority ofthe elements outlined\n        by NIST. However. the ESIISSr does not contain de/ails a/the interco nnections between ESt\n        and other systems. "\n\n        CIO Comment:\n\n        We concur.\n\n\n        The 20/0 OIG Audit reportrecomme nd...: "Recommen dation 1 We recommend that the ESI\n        ISSP be revised to include identifiers a/the external systems that interconnect with ESI (name,\n        organization, type ofinterconnection, authorizations. dates oj agreement, FIPS J99 category ,\n        C&A status, name and rifle ofauthorizing ofJicild). "\n\n        CTa Co mment:\n\n        We concur.\n\n\n        VII .       Contingenc y Planning and Co ntingency Plan Testing\n\n        The 201 0 OIG A udit repo rt states : " The re were 19 issues detected du ring the FY 20 10 test,\n        several of whieh were considered "maj or" in nature. The majority of the issues were abo\n        ident ified in the di sast er reco ver y tests from FV 2008 and FV 2009. A ltho ugh OCI0 has\n        document ed the fact that issues ex ist. 
it does not appear that that they ha ve attem pted to\n        remed iate these weaknesses."\n\n\n\n\n                                                                                                   .................job \xe2\x80\xa2.go.\n\n\x0c                                                                                                     2\n\n\nCIO Comment:\nWe disagree with this finding as it appears to reflect a misunderstanding of the 19 issues\nreferenced. The 19 issues referenced are from a list titled "Areas for Further Review" that was part\nof a Data Center internal document. This list documents observations (good and bad) from the\n2010 ESI DR exercise. The document was not intended tor publication; it was simply an internal\nrecord, and as such it had not been edited for language or for usc by personnel not intimately\nfamiliar with the ESI DR test process. The 19 observations in the list can be grouped as follows\ndepending upon their nature:\n\nObservations 4,5,10,12, and 13 were included on the list simply to document that these functions,\nwhich may not have been tested in previous exercises, were in tact successfully tested in the 2010\nESI DR exercise. Their inclusion on the list was a positive not a negative comment. They require\nno further attention.\n\nObservations 1,6, and 16 were included on the list to document that these functions that may not\nhave been tested in previous exercises were in tact successfully tested on a small scale in the FY\n20 I0 ESI DR exercise. Their inclusion on the list was intended to document their successful tests\nand suggest that broader testing might be appropriate in the future. Responsibility tor expanding\nthe testing of these three functions lies outside the purview ofthe Data Center.\n\nObservation 3 documents the fact that the capacity of circuit between the Sterling Forest DR site\nand Boyers needed to be increased. This upgrade has since been completed and the new circuit\ntested. 
The new circuit will be employed in the upcoming 20 II ESI DR exercise.\n\nObservations 2, 9, II, 14, IS, and 17 were included on the list to document the tact that the parties\nresponsible for these functions chose not to test them during the 2010 ESI DR exercise.\nOrganizations outside the Data Center decide which functions to test based upon their priorities,\nresources, and previous tests. These specific functions may have been tested at other times\nindependent of the ESI DR exercise. Their inclusion on the list was intended to document\nfunctions which the responsible parties may wish to consider testing during future ESI exercises.\nResponsibility for testing these six functions lies outside the purview of the Data Center.\n\nObservations 7 and 8 were included on the list to document network related configuration changes\nneeded to provide or improve disaster recovery access from specific functional areas. These\nchanges are recommended by the Data Center but are outside the control of the Data Center.\n\nObservations 18 and 19 were included on the list to document the continuous need to work as a\ntcam with other organizations in refining the ESI DR test environment preparation process. These\nitems do not affect the ability to recovery ESI services during a real disaster. The DR test\ninfrastructure configuration is much more complex than an actual disaster recovery configuration\nbecause during a DR test both the live production environment and the DR testing environment\nmust operate concurrently while physically and logically separated. Observations 18 and 19 are\npart of an ongoing process to improve preparation and deployment of the DR test environment\nwithout disruption to the live production environment. 
This process has no finite end point,\ninstead it evolves as technology and the OPM infrastructure evolves.\n\x0c                                                                                                           3\n\n\nBelow is the "Areas for further Review" list cited in the 0 10 draft audit. Com ments (i n bold)\nhave been included below each item to add clarity.\n\n Areas for Fur ther Review - The overall testing was quue successful with only a fe w areas which\n need to be reviewed. A num ber of the ureus could be considered major. These are in connectivity\n to the customer bas e. Ho ping the lBAf Enterp rise Servers systems available is a prerequisite of\n the test but there also lUIS to be connectivity to where the end user is located.\n\n      I.\t There was no Disaster Reco very           available p rior to the test. Network Management\n          made the? decision not to include the                   because it Wll .\\" being phased out and\n          not to include the                 because tt was too new. In the event ofa Jisaster. 1III\n          _        is noli\' being hostedfr om both TRE and Macon. GA OPM locations. The impact\n          ofnot ha ving _ availahle would he severe and mean there would he no remote\n          access into KefU~ml OPM applications whi ch ore not running on _\n                  " Hut many (l the remote users rely on _ f or their acc~\n          \xe2\x80\xa2       applications/rom    hom e especial ly f or all R&/J applications. 1\'\'1,\\ PIP:\'; users do\n          not use ~Ilh() uXh CJ:\'; and Fl.)\' support personnel are depende nt on it to maintain\n          app lications, DC has ways 10 access                              applications. maintaining\n          them remotely wit h only a 1\'PN connection. In the event (go disaster, many lisen have\n          heen told to work at home. On th e second day of the test, -,\'liM cha nged its po sition and\n          assisted one . 
:\\1SA& C home user in San Francisco to gain access to fl ew _             which was\n          successfur\n\n         _      access was s uccessfu lly tested on a small scale. This entry is intended to\n         document that success and sug:~est expllnding: te~ting: o f _ access during future\n         OR exercises. More robust tests of the_DR will be conducted after tbe new\n         _infrastructure is deployed in Macon, GA . ~M manages _                    and decides\n         the scope of the _      te st.\n\n      2,\t There \\Vas no e-mail access duri ng the lest (L~ requeste d by many user s. There is a p lan    (0\n          recover some e-mail services in Boyers. PA as pa rt (~f,\'v\'A.rs Disaste r Recovery Plan\n          OPAl users who are ut ho me and ha n? their own Internet Service Provider. could use\n          WebMail to access the recovered system provided the e-Mail sen \'en are no! hosted in\n          THH. Home users who rel y on _        will not be {I Nc fO acce ss e-mail,\n\n          This entry is intended to raise th e possibility of testing:cJ\\.\xc2\xb7lail during: futu re I)I{\n          exercises. Tests of e-MailllR have been successfully performed independent of the\n          E St DR exercise. NI\\-l manages e-Mail and related e-Mail DR tests.\n\n      3.\t There is (J continuing review underway to address the spee d ofthe two communicat ion\n          Jines: Sterling Forest, AT 10 Boyers. PA and Sterling Forest to Macon, GA_The Sterling\n          Forest /0 Boyers connectivity consists ofthree T-l circuits today and may need 10 he\n          upgraded to DS-3 speeds in a r eal DR, DC needs to ensure the process is in place 10\n          exercise the option. The T\xc2\xb7 ] circuit front Sterling Forest to Macon. GA may need to\n          upgr aded i ll the erem ofa disaster since Macon wo uld be the location (!lOI\'Jj \'s /SI\'. 
II\n\x0c                                                                                                   4\n\n\n   NAf would implement diverse routing. ISP traffic couklflowfrom Macon to Boy ers over\n   IJS-3 /im:s lind then come into Sterling Forest on olle ofthe three T-l circuits.\n\n   A l>S-3 communication circuit between Sterling Forest, NY and Boyers, PA has\n   been installed ami tested will be used in the 2011 EST DR exercise.\n\n-I,\t There are -10 + FI,)\' Federal rem ote sites which are connected throug h Sprint MPLS\n     connectivity into Washington DC \'s TRB. The p lan is tofailoverfrom TRB to Boyers. 1\'.\'1\n     in the event ofa disaster. This was tested and was successfulfor the three locu tions\n     tested.\n\n   FIS relies on work performed at FlS remotes sites. This entry documents the fad\n   that Sprint MPLS connectivity, though not ESI hosted, was successfully tested\n   during this year\'s DR exercise. This is pesinvc; not negative.\n\n5.\t There arc ab out 10+ FIS Federal remote sites connected using an Inte rnet connection. A\n    SIT/all VPN app liance was hosted out a/O PAl Macon, (; A which serviced the testing f rom\n    Miami, Fl.. The lest was successful.\n\n   FlS relies on work performed at FIS remotes sites. This entry documents the fact\n   that an Internet connection "as successfully tested during this year\'s UH. exercise.\n   This is positive; not negative.\n\n6.\t FIS has field investigators who carry laptops and access the PIPS\' sys tem remotely. The\n    remote test coming through the Internet \\ I"GS successful even though there is no ISP\n    providerfor Boyers. PA. OP_H has links 10 the lrnentet throuXh TRB and Macon. GA.\n    L)\'}> access into /\'/I\'S is r eI)\' new lind expanding A portion ofremote access is through\n    dial circuits into VPN concentrato rs. 
A growing population of remo te FIS users are\n    coming throug h the Internet which would imply remo te connectivity using the Internet\n    would have 10 come through OI),H \'s ;\\//1(.: 0 11. Gil lSI\'. Macon was pro visioned with a\n    small VP.iV appliance/or the test and it U"(lS successful. The locu tion is not hosted with\n    significant sized ~ T l\'..\'app liances 10 host the entire PIS workl oad. There are no VI\',\\\'\n    concentrators hosted in Sterling Forest as purl ofthe                        t . Therefore in the\n    event ofdisaster. FIS Federal Invest igators IF() U!d have to visit their many remote sites 10\n    enter data.\n\n    FIS relies on the invesngators being able to upload their data from their laptops via\n    the Internet. This entry documents the successful test of this functionality but r..ises\n    the potential capacity limitation of the Macon, GA VP~ concentrator in providing\n    access for large numbers of FIS investigators during a disaster. N"M manages the\n    VP.:\'oI concentrators and related DR lests,\n\n\n7.\t There was no capabilityfor the fixed FIS remote sites (numbering 5(J+) to be able to\n    print reports dur ing the dis aster. The LAN printing methodology implemented has yet to\n    provide redundant LAN print queue .l\xc2\xb7 in other tha n the TRfl locat ion Printfrom PIPS\'\n\x0c                                                                                                 5\n\n    travels front the\t                     to the remote loca lion PIPS terminal and then is\n    handed offto the\t                              \'. The local high speed ne twork printer is\n    only accessible using Washing ton IJC TRn hasted\n\n    This DR prinlin~ capability issue is understood b)\' NM and FIS. DC worked with\n    others m develop a detailed set of instructions nn how to utilize "Named Printer"\n    capability that mitigates the problem by bypassing the\t                    . 
These\n    instructions were distributed to about half flf the remote F1S locations. In order to\n    ~it)\' the staff in each location must make cbanucs to bypass the\n    ~ . Some of the field offices deployed the changes and found they\n    work "ell; other offices did not attempt to make the changes. The "Named Printer"\n    change mitigates this problem, but the change must be performed in the field hy FIS\n    staff.\n\n8.\t Merit Syste ms Accountability & Compliance personnel arc located in external OI\'M sit es\n    arou nd the coun try. Their offices are connected to O PAl inlo Washington DC \'.\'I TR E.\n    There arc no ,VA1 provisionsfor these circ uits to be replaced by comp arable ones in\n    Boye rs. PA or Macon. GA. Testersfrom the and San Francisco, eA an d Philadelphia. PA\n    offlces were successful accessing their _         application called _ from their hom es\n    using specinllv provisioned means ofaccess n llled _           Using this home access they\n    have no f acility 10 print. Priming is one of their requ irements. The implication is all\n    t hmtan Capital l.eadership and Mer it Accountability offices )\\JIO are connected using\n    dedicated 1\'-1 circuits into Washington DC \'s TRB must workfrom home lI.~in}!, _\n    There was a very limited tes sf rom San Francisco using the nel4\xc2\xb7\' ~ sys tem. ~\n    _            has not been implemented to attempt to d() ~ printing 1t is being\n    recomm ended 10 JlSA &C they request to be moved to NAt\'s ,lIPI.S or Internet\n    connections using a Vr N. 
Ifthis is completed then the will have access 10 the Disaster\n    Recovery system in Sterling Fore st , LV}:\n\n    Merit Systems Accountability & Com p lia nce personnel do not have access to _\n    _           a p plica ti ons during a disaster because the)\' are still using dedicated T-l\n    circuits, These circuits should be r eplaced with modern communications capability,\n    This is a NM engineering issue.\n\n9   In the ]009 rest, the Service Credit applicat ion was never successfutlv re covered. III the\n    20 10 test. the A18F R&B Retirement application call ed Ser vice Credit was /10 1 attempted\n    because of p roblems in the application unrelated to Disaster Recovery.\n\n    The ESI hosts the bulk of the Retirement System applications. A number of years\n    ago a key part of the system, Service Credit! was moved outside the ESI to the\n    distrihutcd platform. The Data Center recommend.... that Service Credit he in cluded\n    in the a nnu al ESI I)R exercise as it is an integral part of th e retirement system.\n    Recovering and testing it is outsid e th e purview of the DC.\n\n10. ln the 2009 test. the                       was successfully recovered bUI only able 10 be\n    tested in Boye rs. Inthe ]0 J() test. the MHF R&H Rvtiremcns applica tion clIllcd _\n\x0c                                                                                                6\n\n\n   was successfully recovered on the rep lacement                     in Boy ers, PA. Testing of\n   the system was successfully completed by personnel in Hoyer.s. I\'A and able 10 be tested\n   successfully by personnel in the Gaithersb urg, "ID testing locat ion.\n\n   This entry documents the fact t h a t _ , though not ESI hosted, was successful\n   recovered and tested during this yearts ~:Sl DR exercise. This is positive; not\n   negative.\n\n11. 
The Chic/ Financial Officer \'s (CFO ) system culled PFIS was 1U!\\\'Cr successf ully\n    recovered un the replacement                   in Boy ers. PA. in the 2009 test, the fest\n    was never successfully recovered. The new impleme ntation o/ClJIS\' at an out sourced\n    location has a dependency on PFJ,,,\' within OI\'M to process financial data and invoices\n   for FIS. The CFO chose to exclude PFlSf rom the 2010 DR test\n\n   The PFIS applicution runs on a server outside the E:SI. Recovery of I)FIS was not\n   attempted during the t:SI DR exercise. This is mentioned for the sake of\n   completeness as PFIS is a financial component that interfaces with the FIS\n   application suite. Recovering and testing it is outside the purview of the DC\n\n12. The R&B Insurance Services application called FH/lIJ](){)() was successfully recovered\n    on a replacement                    located in Boy ers, FA, The system was thoroughly\n    tested and is the second time in a row if has been successfully recove red and used in a\n    DR fest.\n\n   This entry documents the fact that FEHB2000. though not E51 hosted, was\n   successful recovered and tested during this lear\'s r,SI IlR exercise. This is pusitive;\n   not negative.\n\n13. The F!.~ e-QII \' server did nor participate. \'llle c-QIP operational plan has it\n    being hosted in Boyers. Pnfor six (6) months lind then hosted in Washington DC \'s TRE\n   jar six (6) months. The server H\'W\' located in Boyers al ready during this test. Fail-over is\n    demonstrated en\',)\' six (6) months. 7111.1\' is sufficient evidence thai e-QIP is recoverable\n    in the event ofa disaster.\n\n   The KSI hosts FIS\'s Persennel lnfurmatiun Processing S~~I)licalion.\n   I<>QIr. an integral part of the PIPS syst em, is hosted on a - - \' outside the\n   ESI. For the sake of completeness, the independent e-QIP test was reported in tbe\n   ~:Sl exercise summary. This is IHJsitin; nut negative.\n\n\n14. 
There wm .vIm /10 connection availablefor DR to the FI.\\: contractor IlO.l-red .\n                                for outside agency access using the AgetUT Menu. In the event of\n    a disaster. this would exclude outside agency access, Numbering 2K i usersfront\n    accessing I\'ll\'.\')\'. In the event ofa disaster. this critical requirement would 110 f he\n    avaiiubte with the /2 hour window required.\n\x0c                                                                                                  7\n\n\n   The ESI hosts F1S\'s I\xc2\xb7IPS a pplica tion. A he)\' rJlls remote user     llCCl\'SS   facility is\n   hosted a t . (a contractor site). Ff S contracted for these serv ices and did not to\n   include them in the ESI OR exercise. Remote access has always been part of each\n   F:SI OR exercise. and the nun -parti cipation o f . ha s been r eport ed to FIS each\n   year. The}\' have taken no action to correct this deficiency. Since the cuntr ae t is\n   owned and managed by FIS co rrecting this deficiency is outside the purview of the\n   1lC.\n\nJ5. There was n() PIS Department of Defense (DOD) JPAS connection available for DR\n    where inquiries ar e passedfront DO/) to O PAl In the event afa disaster. this cri tical\n    requirement wo uld n01 be available with the 12 hour window required.\n\n   The F.Sr husts FlS\'s PIPS application. A key PIPS remote DOD user access facility,\n   .JPAS , is hosted through a con nect ion from the                                FIS\n   requested the connection originally through the Pentagon a nd new has the\n   connection to IIIIdircctly. Remote access has always been part of each E SI DR\n   exercise, and the lack ora .WAS ilK con nect ion has be en reported tn FIS each year.\n   The)" have taken no action to correct this deficiency. 
Since the connection\n   agreement is between IfIS and non, correcting this deficiency is outside the\n   purview of the DC.\n\n/6, A number oj                  File transfers wa C? inclu ded in the Plan supporting various\n    Lines of Business:\n\n        a.\t FiS - _                 fiw credit information (futu re)\n        b.\t FiS _ _ for credit in/ormation (fu!IIre )\n        c.\t FI,\\\' - U.\\ \' Cen sus (futur e)\n        d.\t Fl S - FBi (fut ure)\n        e. FIS - Agency Delivery (future )\n\n       f PIS - IRS (future)\n\n       g.\t E-HR I- Human Resources dat afrom e-i IRI \xc2\xb7.Y contractor H\'as s uccess ful because\n            oflP addressing issues a ll NM \'s part along with e-Hkls need to cut short the\n            time allocated 10 the exercise.\n       II.\t R &B - A nnu it y Payro ll data completed 10 FAlS \'s Kansa s City, A!O loca tion\n            ( sncccssfut )\n        i.\t Human Resources So lutions - Data exc hanges (success tul)\n       J.\t R &B - Social Secu rity Administration (future ]\n\n   The ESI provides the bulk of OI\'\'\\l\'s electronic data excha nge services. As part of\n   the disaster preparedness services pruvided by the nc, recommendations are\n   provided to Lint\'s of Business and CIO\'s application s uppo r t areas. The a bove list\n   descrtbcs those data exchanges the DC believes to be key and should be co nside r ed\n   for testing b)\' the Lines of Bu siness. Since ea ch Line of Business determines what is\n   important for them to test the DC only offers its r ecommendations. For the sa ke of\n   completen ess, this nh....ervatio n documents th e advice and results. Of the 10 rests\n   recommend ed 3 were su ccessfully tested and 7 were de ferred by the Lines of\n\x0c                                                                                                 8\n\n   Business. 
The Lines of Business      ma~\xc2\xb7   wish to consider testing these data exchanges\n   in the 2011 ESIUH; exercise.\n\n/7\t No discussions were conducted hy FI,)\' oft esting DR connectivuyfor its USIS Kroll. and\n    CACI contractors. This sho uld he consideredfor the DR ]OW fest. These contractors are\n    an essential part ofFIS operations and would be needed in the event ala dis aster.\n\n   The F:SI hosts FIS\'s IlU-S applicat ion. As part of the di saster preparedness services\n   provided hy the DC, recommendations an" provided to Lines of Uusiness and c ur s\n   application support areas. The above observation lists contractors the DC believes\n   FIS should consider including in the ESI DR test. Sfncc each Line of Business\n   determines what is important fur them io test. the nc is only in a position to offer its\n   recommendations. FlS may wish to consider including the above contractors in\n   future tests, hut doin~ so is a F1S decision.\n\n/8. There were DNS prohlems throughout the lest rep/IF addressing is the respons ibility of\n    NAL One ofthe major problems J.i-\'as the lack ofdocumentcuian crea ted hy N Xf and in the\n    coordi nation of DC and ;,,\'.\\1 abou t what IP addressing will he used during the test . /\\,,\\1\n    personnel are rota ted into the test ncw each year which does not provide lime to\n    complete the experience of one test and am)\' it forword into the next year. DC and JV,H\n    suiffs needs to work closer p rior to the (est to ensure suffici ent kno wledge ofrelevant\n    network topology and seui ngs are is in place in order 10 de bug network issues in a timely\n    manner. A bright spot in this y ears test for N.H is the work                     who\n    prefo rmed the dut ies o/ NAr.., DR Project Manager. His organizational skills greatly\n    assisted in coordinating the work of the NAJparticipants. Unlike DC staffwho are\n    located in Sterling Forest and Gaithersburg. NA! 
has stofflocated in Sterling Forest.\n    Gaithersburg, Boyers. Macon, and Ft Meade.\n\n   The structure of the network tUflolul!)\' during a real disaster would have few if any\n   cha nges. However, during an I<:SI UR exercise the production systems in TRU must\n   continue to operate but be blocked from~ Sterling Forest and Gaithersburg\n   recovery site access. The complexity associated with n"eontigurin/!; the network and\n   rerouting applications for the ESt DR exercise is significa n t Each year the\n   coordination between th e various organizations has improved. The ultimate goal is\n   to have the overall test be executed precisely and have :111 parts work the first lime.\n   This observation is intended as a reminder to ensure all ESI DR exercise\n   participants st r ive to improve UR test documentation prior to the annual exercise to\n   achieve this goal. This does not impact the recovery of th e ESI during an actual\n   disaster.\n\n\nJ 9.\t The conunued refinement ofthe documentation prodded hy DC of the DR URLs needs to\n      he continued. There were afew cases where the URL in the Test Plans did not match with\n   what eventually worked. Work needs 10 befocused on how these URLs are made\n   avatlabte throug h the nvs Servers ma inta ined by ;\\lM.\n\x0c                                                                                                  9\n\n\n         This issue relates to Observation 18 (above). Along with refining the DR exercise\n         documentation the method of accurately determining and deploying URLs should\n         be improved to avoid errors. This must be a joint effort between NM and ne. 
This\n         does not impact the recovery of the ESt during an actual disaster.\n\nThe 2010 OIG Audit report recommends:\n"Recommendation 2\nWe recommend that OC10 develop and implement a plan to remediate weaknesses identified\nduring ES1 disaster recovery tests: remediation activities should be tracked on the ES1 POA&M"\n\nCIO Comment:\nWe disagree in part with the recommendation. Clearly there are not 19 weaknesses. However, the\nlist of observations should be reviewed to determine which, if any, of the items are actual\nweaknesses. The Data Center agrees that any items found to be actual weaknesses need to be\ndocumented in a POA&M and a plan developed to remediate them. However, the Data Center\ndoes not control infrastructures outside the EST, nor does it determine which tests will be\nconducted by the Lines of Business or other organizations. During the EST DR exercise the Data\nCenter recovers the EST environment and executes tests to ensure the platform is wholly recovered.\nWhile the Data Center can make test recommendations, decisions regarding the testing of\ninfrastructure external to the EST and customer applications are outside the control of the Data\nCenter. Any weaknesses found during the review of the list should be documented and tracked in\nthe POA&M of the organization responsible for taking corrective actions; not necessarily the EST\nPOAM. Likewise, plans to rcmediate any weaknesses should be developed by the parties\nresponsible for taking corrective actions.\n\nX.       NIST SP 800-53 Evaluation\n\nThe 2010 OIG Audit report states:\n"Although the OC10\'s Security and Privacy Group is currently developing a list ofcommon\ncontrols that ES1shares with other systems. this information has not been formally documented\nand shared with other OPMprogram offices. 
Without a well defined list ofcommon controls, the\nowners ofother systems must use their own judgment to determine which security controls are\ninheritedfrom ESI, increasing the risk that these systems have controls that are not adequately\nimplemented or tested. ..\n\nCIO Comment:\nWe concur.\n\nThe 2010 OIG Audit report recommends:\n"Recommendation 3\nWe recommend that OC10fiJrmal(v document common controls provided by ES1 and implement a\nprocess to share this information to the owners ofother applications relying on this support\nsystem. "\n\nCIO Comment:\n\nWe concur. This work is in progress.\n\n\x0c'